Abstract of CN1147738

The present invention consists of five parts: a safety controller, a system controller, a router, a safety
card and a safety card vise managing system, and it is mounted between the outer Internet and the inside net.
The system protects interior resources against damage from illegal access and prevents interior data
from being output. It isolates the inside net from the outer Internet and performs a safety inspection
of every connection or data flow to and from the inside net, based on the safety regulations set by the system,
so as to raise the safety of the inside net.
The translation of Reference 1:

Page 1, paragraphs 4-5: 

The task of the present invention is accomplished in the following way: the system
consists of five parts, namely a security manager, a system manager, a router, a
security card and a security card certificate authority management system. The router
controls incoming and outgoing data based on the set security rules; the system
manager implements the presetting of the present firewall and the setting of the security policy
(jointly referred to as system settings) under the authorization of the security manager;
the authorization and authentication of the security manager are confirmed by the
security card and a personal identification number; and the security card is generated
and managed by the security card certificate authority management system.

The present invention is mounted between an information provider or an internal
(private) network and the external Internet, so that it can protect
internal resources against illegal access and damage and prevent the output of
unissued and unauthorized information from the internal network. The present invention may
serve as a security router between the internal network and the Internet, may be
implemented in hardware, and operates at very high speed. With an anti-prying
(tamper-resistant) design, the firewall controls data flows between the internal and
external networks using the now mature technology of packet filtering, and
implements security protection and management of the firewall system itself using
the security card technology.

Page 3, paragraphs 4-6: 

The present invention may be configured with different security rules in accordance with
different security requirements. We refer to the basic settings required to guarantee
network security as presetting. Presetting is a basic condition for constructing the firewall,
and users must add the presetting parameters to the user profile when setting up the router
system. The program "system profile confirmation", provided by the system
management software, compares the presetting parameters provided by the present
invention with the operating parameters set by the user so as to confirm whether the
user's settings are valid.

The firewall security rule profile resides in the NVRAM of the router, and it is the basis
on which the firewall decides to "allow/prohibit" a connection or access. Whoever controls this setting
right in effect holds the decisive right of network security control. Thus, the following
measures are taken: (1) setting the router's AUX backup command port to dedicated
mode through the presetting, so that a terminal is prohibited from logging on to the
router directly from that port; (2) prohibiting all internal and external users from logging on to the
router from the network, through presetting of the router's respective communication
ports (including the AUX port), and strengthening the management of passwords and
identity verification upon entering the router's privileged operating state. In this
manner, the setting right over the firewall is concentrated on the router's console port,
which is directly connected to the security manager and from there to the
system manager via the security manager.
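The "system profile confirmation" step described above can be modelled as a comparison of the user's operating parameters against the presetting. The following is an added example and not the patent's own software; the parameter keys, the profile layout and the password-length policy are assumptions chosen for illustration.

```python
# Added example, not from the patent: a model of the "system profile
# confirmation" program. The presetting keys and profile layout are
# assumptions chosen for illustration; the patent gives no concrete format.

# Presetting: the baseline shipped with the firewall. Each entry encodes one
# of the measures described above, plus an assumed password-length policy.
PRESETTING = {
    "aux_port_mode": "dedicated",                  # (1) AUX port not usable for login
    "network_login_ports": frozenset(),            # (2) no login from any network port
    "config_entry_ports": frozenset({"console"}),  # setting right only via console
    "privilege_password_min_len": 8,               # assumed policy for privileged mode
}


def confirm_profile(presetting: dict, profile: dict) -> list:
    """Compare the user's operating parameters with the presetting.

    Returns a list of violations; an empty list means the profile is valid
    and the router may be configured with it."""
    problems = []
    if profile.get("aux_port_mode") != presetting["aux_port_mode"]:
        problems.append("AUX port must be set to dedicated mode")
    # Any port the user left open for network login violates measure (2).
    extra = set(profile.get("network_login_ports", ())) - presetting["network_login_ports"]
    if extra:
        problems.append("network login still allowed on: " + ", ".join(sorted(extra)))
    if set(profile.get("config_entry_ports", ())) != presetting["config_entry_ports"]:
        problems.append("configuration must be entered only from the console port")
    if len(profile.get("privilege_password", "")) < presetting["privilege_password_min_len"]:
        problems.append("privileged-mode password shorter than policy minimum")
    return problems


# Constructed sample profiles: one compliant, one that left remote login open.
VALID_PROFILE = {
    "aux_port_mode": "dedicated",
    "network_login_ports": [],
    "config_entry_ports": ["console"],
    "privilege_password": "correct-horse-battery",
}
INVALID_PROFILE = {
    "aux_port_mode": "login",
    "network_login_ports": ["aux", "vty"],
    "config_entry_ports": ["console", "vty"],
    "privilege_password": "abc",
}

if __name__ == "__main__":
    print("valid:", confirm_profile(PRESETTING, VALID_PROFILE))
    print("invalid:", confirm_profile(PRESETTING, INVALID_PROFILE))
```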

Only through the security manager can the system security manager configure the
firewall system from the terminal using the inventive system management software.
Otherwise, the security manager refuses to relay the information. When configuring
parameters relating to network security control in the firewall, the system security
manager must insert the security card into the "security card reader" port on the front
panel of the firewall and enter the correct personal identification number (PIN); only then
can the configuration state be entered. Otherwise, the security manager of the firewall
refuses to carry out the configuration.

Page 4, the last paragraph: 

In order to strengthen security management, the present system provides a special
authorization mechanism for setting firewall parameters. The Transmission Control
Protocol/Internet Protocol (TCP/IP) suite is the communication protocol of the Internet, and
computers and networks connected to it are required to install the corresponding
TCP/IP protocol. According to the TCP/IP protocol, any transmitted data
(application-layer data) is segmented into a number of small datagrams,
each of which goes through transport-layer encapsulation, IP-layer encapsulation and
media-access-layer encapsulation and is then transmitted over the physical layer. Data
encapsulation refers to the procedure in which, as application-layer data passes down through each
layer beneath, each layer adds its own header to the front of the received data
segment and then delivers the segment to the next layer. What is useful to packet
filtering is mainly the header of the transport layer and the header of the IP layer.
The TCP/IP format is publicly known, and each data packet contains specific
information such as the IP source address, IP destination address, protocol type, source port
number and destination port number. Packet filtering has the firewall
prohibit or allow the passage of packets using this specific information together with
the routing information determined by the router.

Page 5, paragraph 2 from the bottom:

The present invention is mounted between an Internet information provider, an
internal network or a private network and an external network. The present invention
uses the publicly known technology of packet filtering, whose operating principle is to
examine the source/destination address, the port and the corresponding control protocol of each
incoming/outgoing packet against the set security rules, decide
whether passage of the incoming/outgoing packet is "allowed/prohibited", and
make the corresponding routing selection.
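The packet-filtering principle described in the two passages above (header fields extracted from the IP and transport layers, then matched against ordered allow/prohibit rules) can be shown end to end on a raw datagram. The following is an added example, not code from the patent; the addresses, the rule format and the first-match, default-prohibit semantics are assumptions chosen for illustration.

```python
# Added example, not from the patent: a minimal packet filter that extracts the
# fields named above from a raw IPv4 datagram and applies ordered
# allow/prohibit rules. Addresses and rules are constructed for illustration.
import ipaddress
import struct

PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_datagram(src, dst, sport, dport, proto=6):
    """Constructed IPv4 header plus the first 4 bytes of a TCP/UDP header
    (ports); the remaining transport fields are zero-filled and unused here."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HH", sport, dport) + bytes(16)


def parse_headers(frame):
    """Pull the IP-layer and transport-layer fields that packet filtering uses."""
    ihl = (frame[0] & 0x0F) * 4              # IP header length in bytes
    proto = PROTO_NAMES.get(frame[9], str(frame[9]))
    src = ipaddress.IPv4Address(frame[12:16])
    dst = ipaddress.IPv4Address(frame[16:20])
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


# Ordered security rules, first match wins; anything unmatched is prohibited.
# 192.0.2.0/24 plays the internal network, 192.0.2.10 its public web server.
RULES = [
    {"src": "0.0.0.0/0", "dst": "192.0.2.10/32", "proto": "tcp", "dport": 80, "action": "allow"},
    {"src": "192.0.2.0/24", "dst": "0.0.0.0/0", "proto": "any", "dport": None, "action": "allow"},
]


def rule_matches(rule, hdr):
    return (hdr["src"] in ipaddress.ip_network(rule["src"])
            and hdr["dst"] in ipaddress.ip_network(rule["dst"])
            and rule["proto"] in ("any", hdr["proto"])
            and rule["dport"] in (None, hdr["dport"]))


def decide(rules, frame):
    """Return 'allow' or 'prohibit' for one datagram under the given rules."""
    hdr = parse_headers(frame)
    for rule in rules:
        if rule_matches(rule, hdr):
            return rule["action"]
    return "prohibit"                        # default-deny when no rule matches
```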